
Searching for CSE Records in Sumo Logic

Learn how to search Sumo Logic’s Continuous Intelligence Platform (CIP) for Records that have been forwarded from CSE.


This topic has information about how to search the Sumo Logic platform for Records that have been forwarded from CSE. For more information about performing log searches in Sumo Logic, see Search Basics.

Sumo Logic indexes that contain CSE Records

In CSE, normalized Records are categorized by Record type, for example Audit, Authentication, Network, NetworkDHCP, and so on. For a full list, see CSE Record Types.

In Sumo Logic, Records are stored in dedicated indexes, which enable better search performance. The table below shows which index each Record type is stored in. Note that some indexes contain multiple Record types.

CSE Record type                      Sumo Logic index
-----------------------------------  -------------------------
Audit                                sec_record_audit
AuditChange                          sec_record_audit
AuditFile                            sec_record_audit
AuditResourceAccess                  sec_record_audit
Authentication                       sec_record_authentication
AuthenticationPrivilegeEscalation    sec_record_authentication
Email                                sec_record_email
Endpoint                             sec_record_endpoint
EndpointModuleLoad                   sec_record_endpoint
EndpointProcess                      sec_record_endpoint
Network                              sec_record_network
NetworkDHCP                          sec_record_network
NetworkDNS                           sec_record_network
NetworkFlow                          sec_record_network
NetworkHTTP                          sec_record_network
NetworkProxy                         sec_record_network
Notification                         sec_record_notification
NotificationVulnerability            sec_record_notification


There is a separate index for forwarded raw messages for which no Record was created because no log mapper was available for them.

CSE Record type                      Sumo Logic index
-----------------------------------  -------------------------
FailedRecord                         sec_record_failure

Searching Records

To search a Sumo Logic index, you specify the name of the index using _index=<index_name>. The sections below explain how to scope a search so that it returns only the Records you are interested in.

Open a log search tab

To open a log search tab in Sumo Logic, click + New and select Log Search.


Search all Records in an index

To return all the Records in an index, the only thing your query needs to contain is the index name. For example, to search all Records in the sec_record_network index, choose a time range, enter this query, and click Start:

_index=sec_record_network


Note that:

  • The query returns all of the Record types that are stored in the index: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy.
  • By default, two Record fields are displayed: Time and Message. You can display additional fields by selecting them in the Hidden Fields area. You can also use the fields operator to specify the fields you want displayed and save the search, as described in the following section.

Save a query with predefined display fields

You can use the fields operator to choose the fields that are displayed when you run the search. The fields you name are shown in addition to those that are displayed by default.

To add display fields

This query adds the objectType (which contains the Record type) and the user_username fields to the displayed output:

_index = sec_record_audit
| fields objectType, user_username


To save a search

To save the query for future use, click Save As below the query, name the query, and then click Save.


Search multiple indexes

You can search multiple indexes by using OR in the query. For example, to search all Records in the sec_record_audit and sec_record_network indexes:

_index = sec_record_audit OR _index = sec_record_network

Search all Record indexes

To search all Records in all of the indexes that contain CSE Records, use an asterisk wildcard.

_index = sec_record_*

Query by Record type

The objectType field in a Record indicates its Record type. To restrict results to a particular Record type, use _index to identify the index that contains that Record type, and objectType to specify the Record type. For example, to search for NetworkHTTP Records in the sec_record_network index:

_index = sec_record_network objectType=NetworkHTTP

Return a count of Records by Record type

You can use the count operator to aggregate your query results. The following query uses the asterisk wildcard to search across all indexes that contain CSE Records and counts the results by index (_view) and by objectType, which contains the Record type, so it returns the number of Records of each type in each index:

_index = sec_record_*
| count as Total by _view, objectType
| order by Total


Search by keyword

The indexes that contain CSE Records don’t have an associated raw message. For this reason, you can’t run a direct keyword search against those Records as you can with other Sumo Logic data sources. You can, however, search the fields field, which contains a JSON object of all Record fields and values. The following simple example query returns all Records in the sec_record_authentication index whose fields field contains the string “false”:

_index=sec_record_authentication fields=*false*
| fields fields

Limitations

When you use wildcards for field values in a query scope, only Records in which those fields are present and not null will be returned. For example, the following query will only return Records if the srcDevice_ip is present and not null:

_index = sec_record_* srcDevice_ip=*
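The following Python script is an added example, not code from the Sumo Logic documentation or product. It models, over a handful of constructed Records, three behaviours described on this page: the count-by-type aggregation, the keyword search over the JSON in the fields field, and the rule that a wildcard on a field value matches only Records where that field is present and not null. The sample Records, the with_fields_blob() helper that builds the fields field, and the assumption that a Sumo-style * matches any run of characters case-insensitively are all illustrative assumptions; the point the script makes is that fields=*false* is a substring match over serialized JSON (it hits a username containing "false" as readily as a boolean false), so a precise check needs to parse the JSON and compare one key.

```python
import json
import re
from collections import Counter

# Constructed sample Records in the shape the page describes: normalized
# top-level fields, plus (after with_fields_blob) a "fields" field holding
# a JSON object of all Record fields and values. Illustrative data only.
SAMPLE_RECORDS = [
    {"_view": "sec_record_authentication", "objectType": "Authentication",
     "user_username": "alice", "success": False, "srcDevice_ip": "10.0.0.5"},
    {"_view": "sec_record_authentication", "objectType": "AuthenticationPrivilegeEscalation",
     # username contains the substring "false" even though the event succeeded
     "user_username": "falsetto.ops", "success": True, "srcDevice_ip": None},
    {"_view": "sec_record_network", "objectType": "NetworkHTTP",
     "srcDevice_ip": "10.0.0.9", "http_method": "GET"},
]


def with_fields_blob(record):
    """Attach the 'fields' field: a JSON serialization of every other field (assumed layout)."""
    body = {k: v for k, v in record.items() if k != "fields"}
    return {**record, "fields": json.dumps(body, sort_keys=True)}


RECORDS = [with_fields_blob(r) for r in SAMPLE_RECORDS]


def glob_to_regex(pattern):
    """Translate a Sumo-style wildcard (assumed: * matches any run of characters,
    matching is case-insensitive) into an anchored regular expression."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def field_matches(record, field, pattern):
    """Model of `field=pattern` in the query scope: a missing or null field never
    matches, even against a bare `*` (the page's Limitations section)."""
    value = record.get(field)
    if value is None:
        return False
    return glob_to_regex(pattern).match(str(value)) is not None


def scope(records, index_pattern, **filters):
    """Model of a scope line such as `_index=sec_record_* srcDevice_ip=*`."""
    return [r for r in records
            if field_matches(r, "_view", index_pattern)
            and all(field_matches(r, f, p) for f, p in filters.items())]


def keyword_search(records, keyword):
    """The page's `fields=*<keyword>*` idiom: substring search over the JSON blob."""
    return scope(records, "sec_record_*", fields="*" + keyword + "*")


def exact_field_search(records, key, value):
    """Precise alternative: parse the JSON blob and compare one key's value."""
    return [r for r in records if json.loads(r["fields"]).get(key) == value]


def count_by_type(records):
    """Model of `count as Total by _view, objectType`."""
    return Counter((r["_view"], r["objectType"]) for r in records)


if __name__ == "__main__":
    for (view, otype), total in sorted(count_by_type(RECORDS).items()):
        print(f"{view:28} {otype:36} {total}")
    print("fields=*false* matches:",
          [r.get("user_username") for r in keyword_search(RECORDS, "false")])
    print("success == false (parsed):",
          [r["user_username"] for r in exact_field_search(RECORDS, "success", False)])
    print("srcDevice_ip=* matches:", len(scope(RECORDS, "sec_record_*", srcDevice_ip="*")),
          "of", len(RECORDS), "Records (null srcDevice_ip is excluded)")
```

Running the script shows the keyword search returning two Records for "false" while the parsed comparison returns only the failed login, and the srcDevice_ip=* scope dropping the Record whose srcDevice_ip is null.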